Created attachment 8975 [details]
pdf file that crashes ghostscript

Attached is a sample file that fails (pse2.pdf). I use the command line:

gswin32c -sDEVICE=tiffgray -sOutputFile=p2.tif pse2.pdf

and after getting a few lines of output (below) (and drawing about 10% of the image) the program just crashes:

GPL Ghostscript 9.06 (2012-08-08)
Copyright (C) 2012 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 2624740 1293751 5335512 4023175 3 done.

As a side note, ghostscript 8.71 can handle this file just fine, while all 9.0x versions I tried failed.
One more note (hopefully to save you some time) - if I try it with "-dDEBUG" then (after generating a ton of output) it finishes fine; but if I also add -r300 then the debug mode fails too
The problem is reproduced at 300 dpi in the current development version.

Process terminating with default action of signal 11 (SIGSEGV)
 Access not within mapped region at address 0x0
   at 0x5FA5E5: pdf14_pattern_trans_render (gdevp14.c:2584)
   by 0xA5891E: gx_image1_flush (gxidata.c:276)
   by 0xA58762: gx_image1_plane_data (gxidata.c:233)
   by 0xA5B824: gx_image_plane_data_rows (gximage.c:183)
   by 0xA5B7EB: gx_image_plane_data (gximage.c:175)
   by 0x7BB938: clist_playback_band (gxclrast.c:1508)
   by 0x7C5239: clist_playback_file_bands (gxclread.c:854)
   by 0x7C4DFF: clist_render_rectangle (gxclread.c:783)
   by 0x7C4A8F: clist_rasterize_lines (gxclread.c:695)
   by 0x7C45BF: clist_get_bits_rectangle (gxclread.c:586)
   by 0x7E4D5D: clist_get_bits_rect_mt (gxclthrd.c:545)
   by 0xA910D9: gx_default_get_bits (gdevdgbr.c:54)
The problem first appears in the commit 7d9cc2d6efc52209db67bc36bd52ee7228916bf7
Created attachment 9226 [details]
Simplified sample file.

This file draws a semi-transparent pattern through an imagemask.
Fixed with http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f4a1368a6585d20a218acd236d97706401a1b8c1
Reopening. This segfaults for me:

debugbin/gswin32c -r300 -dMaxBitmap=0 -Z: -sDEVICE=psdcmyk -o x.psd \
  tests_private/comparefiles/Bug693365.pdf

Call stack (partial):

tile_rect_trans_simple(int xmin=0x000005f6, int ymin=0x00000033, int xmax=0x000005fa, int ymax=0x00000034, int px=0x000000ad, int py=0x0000006e, const gx_color_tile_s * ptile=0x0318e8a0, gx_pattern_trans_s * fill_trans_buffer=0x00000000) Line 720
tile_by_steps_trans(tile_fill_trans_state_s * ptfs=0x000c8e50, int x0=0x000005f5, int y0=0x00000033, int w0=0x00000005, int h0=0x00000001, gx_pattern_trans_s * fill_trans_buffer=0x00000000, const gx_color_tile_s * ptile=0x0318e8a0) Line 688
gx_trans_pattern_fill_rect(int xmin=0x000005f5, int ymin=0x00000033, int xmax=0x000005fa, int ymax=0x00000034, gx_color_tile_s * ptile=0x0318e8a0, gx_pattern_trans_s * fill_trans_buffer=0x00000000, gs_int_point_s phase={...}, gx_device_s * dev=0x0345df48, const gx_device_color_s * pdevc=0x032fe110) Line 1012
gx_dc_pat_trans_fill_rectangle(const gx_device_color_s * pdevc=0x032fe110, int x=0x000005f5, int y=0x00000033, int w=0x00000005, int h=0x00000001, gx_device_s * dev=0x0345df48, unsigned int lop=0x000000fc, const gx_rop_source_s * source=0x00000000) Line 961
gx_dc_default_fill_masked(const gx_device_color_s * pdevc=0x032fe110, const unsigned char * data=0x0345df20, int data_x=0x00000015, int raster=0x00000014, unsigned long id=0x00000000, int x=0x000005f5, int y=0x00000033, int w=0x00000069, int h=0x00000001, gx_device_s * dev=0x0345df48, unsigned int lop=0x000000fc, int invert=0x00000001) Line 1054
copy_portrait(gx_image_enum_s * penum=0x02755290, const unsigned char * data=0x0345df20, int dx=0x00000015, int raster=0x00000014, int x=0x000005f5, int y=0x00000033, int w=0x00000069, int h=0x00000001, gx_device_s * dev=0x0345df48) Line 529
image_render_simple(gx_image_enum_s * penum=0x02755290, const unsigned char * buffer=0x033e29c8, int data_x=0x00000000, unsigned int w=0x00000060, int h=0x00000001, gx_device_s * dev=0x0345df48) Line 639
pdf14_pattern_trans_render(gx_image_enum_s * penum=0x02755290, const unsigned char * buffer=0x033e29c8, int data_x=0x00000000, unsigned int w=0x00000060, int h=0x00000001, gx_device_s * dev=0x0345df48) Line 2688
gx_image1_plane_data(gx_image_enum_common_s * info=0x02755290, const gx_image_plane_s * planes=0x000cb4c0, int height=0x00000031, int * rows_used=0x000c929c) Line 212
gx_image_plane_data_rows(gx_image_enum_common_s * info=0x02755290, const gx_image_plane_s * planes=0x000cb4c0, int height=0x00000031, int * rows_used=0x000c929c) Line 183
gx_image_plane_data(gx_image_enum_common_s * info=0x02755290, const gx_image_plane_s * planes=0x000cb4c0, int height=0x00000031) Line 175
clist_playback_band(int playback_action=0x00000000, gx_device_clist_reader_s * cdev=0x02559d98, stream_s * s=0x000cd24c, gx_device_s * target=0x03400368, int x0=0x00000000, int y0=0x00000360, gs_memory_s * mem=0x02544ff8) Line 1515
clist_playback_file_bands(int action=0x00000000, gx_device_clist_reader_s * crdev=0x02559d98, gx_band_page_info_s * page_info=0x0255a308, gx_device_s * target=0x033e1d40, int band_first=0x00000010, int band_last=0x00000010, int x0=0x00000000, int y0=0x00000360) Line 910
clist_render_rectangle(gx_device_clist_s * cldev=0x02559d98, const gs_int_rect_s * prect=0x000cd8d8, gx_device_s * bdev=0x033e1d40, const gx_render_plane_s * render_plane=0x000cdaa8, int clear=0x00000001) Line 841
clist_rasterize_lines(gx_device_s * dev=0x02559d98, int y=0x00000360, int line_count=0x00000001, gx_device_s * bdev=0x033e1d40, const gx_render_plane_s * render_plane=0x000cdaa8, int * pmy=0x000cda88) Line 739
clist_get_bits_rectangle(gx_device_s * dev=0x02559d98, const gs_int_rect_s * prect=0x000cdda4, gs_get_bits_params_s * params=0x000ce034, gs_int_rect_s * * unread=0x00000000) Line 628
clist_get_bits_rect_mt(gx_device_s * dev=0x02559d98, const gs_int_rect_s * prect=0x000cdda4, gs_get_bits_params_s * params=0x000ce034, gs_int_rect_s * * unread=0x00000000) Line 644
gx_downscaler_get_bits_rectangle(gx_downscaler_s * ds=0x000cdedc, gs_get_bits_params_s * params=0x000ce034, int row=0x00000360) Line 1877
psd_write_image_data(psd_write_ctx * xc=0x000ce174, gx_device_printer_s * pdev=0x02559d98) Line 1397
psd_print_page(gx_device_printer_s * pdev=0x02559d98, _iobuf * file=0x1101b9d0) Line 1449
Here's the valgrind output:

==19448== Memcheck, a memory error detector
==19448== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==19448== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==19448== Command: ./valgrind/bin/gs -sOutputFile=/dev/null -dMaxBitmap=10000 -sDEVICE=psdcmyk -r300 -sDEFAULTPAPERSIZE=letter -dNOPAUSE -dBATCH -K1000000 -dJOBSERVER ./tests_private/comparefiles/Bug693365.pdf
==19448==
GPL Ghostscript GIT PRERELEASE 9.11 (2013-08-30)
Copyright (C) 2013 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
Processing pages 1 through 1.
Page 1
Loading NimbusSanL-Bold font from %rom%Resource/Font/NimbusSanL-Bold... 4052156 2324087 2838784 1487681 3 done.
==19448== Syscall param write(buf) points to uninitialised byte(s)
==19448==    at 0x603D92D: ??? (syscall-template.S:82)
==19448==    by 0x5FD0882: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1289)
==19448==    by 0x5FD0749: new_do_write (fileops.c:543)
==19448==    by 0x5FD11FD: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1383)
==19448==    by 0x5FC6CDC: fwrite (iofwrite.c:45)
==19448==    by 0x722167: clist_fwrite_chars (gxclfile.c:74)
==19448==    by 0x705D3D: cmd_write_band (gxclutil.c:198)
==19448==    by 0x706097: cmd_write_buffer (gxclutil.c:277)
==19448==    by 0x706579: cmd_get_buffer_space (gxclutil.c:369)
==19448==    by 0x71676A: cmd_put_drawing_color (gxclpath.c:198)
==19448==    by 0x712868: clist_image_plane_data (gxclimag.c:1282)
==19448==    by 0xA53D90: gx_image_plane_data_rows (gximage.c:183)
==19448==  Address 0xb4cfa58 is 1,366,552 bytes inside a block of size 4,000,048 alloc'd
==19448==    at 0x4C2B6CD: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==19448==    by 0x963D20: gs_heap_alloc_bytes (gsmalloc.c:183)
==19448==    by 0x6DEAFD: gdev_prn_setup_as_command_list (gdevprn.c:178)
==19448==    by 0x6DF539: gdev_prn_allocate (gdevprn.c:409)
==19448==    by 0x6DF97D: gdev_prn_allocate_memory (gdevprn.c:496)
==19448==    by 0x6DE87C: gdev_prn_open (gdevprn.c:89)
==19448==    by 0x79B176: gdev_prn_open_planar (gdevppla.c:55)
==19448==    by 0x825E61: psd_prn_open (gdevpsd.c:449)
==19448==    by 0x949841: gs_opendevice (gsdevice.c:393)
==19448==    by 0x949B83: gs_setdevice_no_erase (gsdevice.c:505)
==19448==    by 0x57FC4E: zputdeviceparams (zdevice.c:445)
==19448==    by 0x5373DC: do_call_operator (interp.c:86)
==19448==
==19448== Syscall param write(buf) points to uninitialised byte(s)
==19448==    at 0x603D92D: ??? (syscall-template.S:82)
==19448==    by 0x5FD0882: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1289)
==19448==    by 0x5FD0749: new_do_write (fileops.c:543)
==19448==    by 0x5FD1EB4: _IO_do_write@@GLIBC_2.2.5 (fileops.c:516)
==19448==    by 0x5FD1024: _IO_file_xsputn@@GLIBC_2.2.5 (fileops.c:1371)
==19448==    by 0x5FC6CDC: fwrite (iofwrite.c:45)
==19448==    by 0x722167: clist_fwrite_chars (gxclfile.c:74)
==19448==    by 0x705D3D: cmd_write_band (gxclutil.c:198)
==19448==    by 0x706097: cmd_write_buffer (gxclutil.c:277)
==19448==    by 0x706579: cmd_get_buffer_space (gxclutil.c:369)
==19448==    by 0x71676A: cmd_put_drawing_color (gxclpath.c:198)
==19448==    by 0x712868: clist_image_plane_data (gxclimag.c:1282)
==19448==  Address 0x40280a0 is not stack'd, malloc'd or (recently) free'd
==19448==
==19448== Use of uninitialised value of size 8
==19448==    at 0x602A4B: pdf14_pattern_trans_render (gdevp14.c:2760)
==19448==    by 0xA50A6F: gx_image1_plane_data (gxidata.c:211)
==19448==    by 0xA53D90: gx_image_plane_data_rows (gximage.c:183)
==19448==    by 0xA53D57: gx_image_plane_data (gximage.c:175)
==19448==    by 0x6F3C50: clist_playback_band (gxclrast.c:1514)
==19448==    by 0x6FD933: clist_playback_file_bands (gxclread.c:910)
==19448==    by 0x6FD4D1: clist_render_rectangle (gxclread.c:837)
==19448==    by 0x6FD072: clist_rasterize_lines (gxclread.c:738)
==19448==    by 0x6FCB7A: clist_get_bits_rectangle (gxclread.c:628)
==19448==    by 0x71F012: clist_get_bits_rect_mt (gxclthrd.c:644)
==19448==    by 0x6E6C94: gx_downscaler_get_bits_rectangle (gxdownscale.c:1877)
==19448==    by 0x828292: psd_write_image_data (gdevpsd.c:1397)
==19448==
==19448== Use of uninitialised value of size 8
==19448==    at 0x5239B2: tile_by_steps_trans (gxp1fill.c:687)
==19448==    by 0x524A46: gx_trans_pattern_fill_rect (gxp1fill.c:1011)
==19448==    by 0x5245E8: gx_dc_pat_trans_fill_rectangle (gxp1fill.c:959)
==19448==    by 0xA36197: gx_dc_default_fill_masked (gxdcolor.c:1053)
==19448==    by 0xA52E81: copy_portrait (gxifast.c:527)
==19448==    by 0xA53462: image_render_simple (gxifast.c:638)
==19448==    by 0x602A4D: pdf14_pattern_trans_render (gdevp14.c:2760)
==19448==    by 0xA50A6F: gx_image1_plane_data (gxidata.c:211)
==19448==    by 0xA53D90: gx_image_plane_data_rows (gximage.c:183)
==19448==    by 0xA53D57: gx_image_plane_data (gximage.c:175)
==19448==    by 0x6F3C50: clist_playback_band (gxclrast.c:1514)
==19448==    by 0x6FD933: clist_playback_file_bands (gxclread.c:910)
==19448==
==19448== Invalid read of size 8
==19448==    at 0x523A3C: tile_rect_trans_simple (gxp1fill.c:720)
==19448==    by 0x5239B4: tile_by_steps_trans (gxp1fill.c:687)
==19448==    by 0x524A46: gx_trans_pattern_fill_rect (gxp1fill.c:1011)
==19448==    by 0x5245E8: gx_dc_pat_trans_fill_rectangle (gxp1fill.c:959)
==19448==    by 0xA36197: gx_dc_default_fill_masked (gxdcolor.c:1053)
==19448==    by 0xA52E81: copy_portrait (gxifast.c:527)
==19448==    by 0xA53462: image_render_simple (gxifast.c:638)
==19448==    by 0x602A4D: pdf14_pattern_trans_render (gdevp14.c:2760)
==19448==    by 0xA50A6F: gx_image1_plane_data (gxidata.c:211)
==19448==    by 0xA53D90: gx_image_plane_data_rows (gximage.c:183)
==19448==    by 0xA53D57: gx_image_plane_data (gximage.c:175)
==19448==    by 0x6F3C50: clist_playback_band (gxclrast.c:1514)
==19448==  Address 0x58 is not stack'd, malloc'd or (recently) free'd
==19448==
==19448==
==19448== Process terminating with default action of signal 11 (SIGSEGV)
==19448==  Access not within mapped region at address 0x58
==19448==    at 0x523A3C: tile_rect_trans_simple (gxp1fill.c:720)
==19448==    by 0x5239B4: tile_by_steps_trans (gxp1fill.c:687)
==19448==    by 0x524A46: gx_trans_pattern_fill_rect (gxp1fill.c:1011)
==19448==    by 0x5245E8: gx_dc_pat_trans_fill_rectangle (gxp1fill.c:959)
==19448==    by 0xA36197: gx_dc_default_fill_masked (gxdcolor.c:1053)
==19448==    by 0xA52E81: copy_portrait (gxifast.c:527)
==19448==    by 0xA53462: image_render_simple (gxifast.c:638)
==19448==    by 0x602A4D: pdf14_pattern_trans_render (gdevp14.c:2760)
==19448==    by 0xA50A6F: gx_image1_plane_data (gxidata.c:211)
==19448==    by 0xA53D90: gx_image_plane_data_rows (gximage.c:183)
==19448==    by 0xA53D57: gx_image_plane_data (gximage.c:175)
==19448==    by 0x6F3C50: clist_playback_band (gxclrast.c:1514)
==19448==  If you believe this happened as a result of a stack
==19448==  overflow in your program's main thread (unlikely but
==19448==  possible), you can try to increase the size of the
==19448==  main thread stack using the --main-stacksize= flag.
==19448==  The main thread stack size used in this run was 8388608.
==19448==
==19448== HEAP SUMMARY:
==19448==     in use at exit: 16,891,587 bytes in 1,086 blocks
==19448==   total heap usage: 11,343 allocs, 10,257 frees, 298,953,481 bytes allocated
==19448==
==19448== LEAK SUMMARY:
==19448==    definitely lost: 0 bytes in 0 blocks
==19448==    indirectly lost: 0 bytes in 0 blocks
==19448==      possibly lost: 0 bytes in 0 blocks
==19448==    still reachable: 16,891,587 bytes in 1,086 blocks
==19448==         suppressed: 0 bytes in 0 blocks
==19448== Rerun with --leak-check=full to see details of leaked memory
==19448==
==19448== For counts of detected and suppressed errors, rerun with: -v
==19448== Use --track-origins=yes to see where uninitialised values come from
==19448== ERROR SUMMARY: 651 errors from 5 contexts (suppressed: 2 from 2)
Segmentation fault (core dumped)
Created attachment 10484 [details]
Bug693365_simpler.pdf

A more simplified file.
Created attachment 10485 [details]
simple6.pdf

Even simpler file that still fails. This fails in a different place in the transparency handling, suggesting a memory problem.
Created attachment 10487 [details]
easy5.pdf

Simplified file that crashes even after the fix for simple6.pdf is in.
The file easy5.pdf has four mask images, each filled with the same pattern. During clist writing we see the following occur.

Begin Image 1
Band 12 full pattern written
Band 13 full pattern written
Band 10 full pattern written
Band 11 full pattern written
Begin Image 2
Band 13 pattern id written
Band 12 pattern id written
Band 10 pattern id written
Band 11 pattern id written
Begin Image 3
Band 10 pattern id written
Band 11 pattern id written
Band 12 pattern id written
Band 13 pattern id written
Begin Image 4
Band 17 full pattern written (pre->nbands = 1)
Band 13 pattern id written
Band 14 full pattern written to ALL bands (pre->nbands = 5)
Band 15 pattern id written
Band 16 pattern id written

Note that when processing Image 4, we see that the pattern is written out to band 17 twice: once to Band 17 and once to all bands when we go out to Band 14. This is the source of part of our problem. During the reading of band 17, we end up reading the pattern that we will tile with twice. The size of the tile is such that the pattern cache will hold only 1 tile. So during the second read we remove the current tile and replace it with the same tile. For tiling with pattern tiles that include transparency, the tile has a pointer to the transparency group into which it is tiling. This is the fill_trans_buffer pointer. When we destroy the pattern in the cache, we lose this pointer and we do not have it for the new tile that takes its place.

Two possible solutions for this are to 1) avoid the writing of the pattern to all bands after we already did a write to a single band for that image, or 2) store the fill_trans_buffer pointer someplace different than the tile and make sure we can get to it during the transparency tiling process.
Fixed in commit 72713e784ddaea275498a67e25ab77aedbc0eb9b

Fix bug 69365: Write pattern colors to all bands consistently for images.

Thanks to Michael Vrhel for tracking this down. If a transparent pattern color is written to all bands after having been written to a band for an image, the transparency fill_trans_buffer will be NULL because the group for the image was pushed at 'begin_typed_image' time. We now write the color to all_bands based on the image extent, consistently.
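The band-17 sequence from the analysis above, as an added C model that is not Ghostscript code (trans_group, color_tile, pattern_cache, cache_put, tile_rect_trans and replay_band17 are constructed stand-ins): a one-slot cache whose tile carries a borrowed fill_trans_buffer pointer loses it when the all-bands write rebuilds the same tile, and keeping the pointer outside the tile (solution 2 above) survives the rebuild.

```c
#include <stddef.h>

/* Constructed model of the mechanism described in the analysis; it is not
 * Ghostscript code and every name here is a stand-in. */
typedef struct { int blends; } trans_group;   /* stands in for gx_pattern_trans_s */

typedef struct {
    int          id;                 /* pattern id the tile was built for */
    trans_group *fill_trans_buffer;  /* borrowed pointer to the group being tiled into */
} color_tile;

/* The cache holds one tile, as in the report: a second write of the same
 * pattern destroys the old tile and builds a fresh one in its place. */
typedef struct { color_tile slot; int occupied; } pattern_cache;

static color_tile *cache_put(pattern_cache *c, int id, trans_group *grp)
{
    c->slot.id = id;
    c->slot.fill_trans_buffer = grp;   /* NULL when the group was pushed earlier */
    c->occupied = 1;
    return &c->slot;
}

/* Stand-in for tile_rect_trans_simple. The original read a field of the NULL
 * group (the 0x58 access); here a missing group is a failure code, and a
 * pointer kept outside the tile (solution 2) is used when the tile has none. */
static int tile_rect_trans(const color_tile *t, trans_group *from_fill_state)
{
    trans_group *grp = t->fill_trans_buffer ? t->fill_trans_buffer : from_fill_state;
    if (grp == NULL)
        return -1;
    grp->blends += 1;                  /* composite the tile into the group */
    return 0;
}

/* Replays band 17 of Image 4: the pattern is written for the image while the
 * group is live, then written again to all bands with no group available. */
static int replay_band17(int keep_pointer_in_fill_state)
{
    trans_group   image_group = { 0 };           /* pushed at begin_typed_image */
    pattern_cache cache = { { 0, NULL }, 0 };
    trans_group  *fill_state_ptr = NULL;

    color_tile *t = cache_put(&cache, 7, &image_group);   /* first write */
    if (keep_pointer_in_fill_state)
        fill_state_ptr = t->fill_trans_buffer;
    t = cache_put(&cache, 7, NULL);            /* all-bands write: same id, group lost */
    return tile_rect_trans(t, fill_state_ptr); /* -1 = would have crashed, 0 = tiled */
}
```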